« Back to home

Basic Security Actions For Any Application

Posted on

In my career as a software consultant I encountered several mobile and web applications written by partners, customers and competitors that were extremely insecure.

Sometimes people really neglect the security of his applications exposing his customers data and opening opportunities for criminals to take illegal advantages over his systems.

For that reason I decided to write about the 4 most basic security actions that every developer, business or consultant must take in order to have a minimal level of security of his apps.

Always use HTTPS for backend communication

There are no excuses to not use it. Currently you can get free SSL/TLS certificates from let’s encrypt that also gives you a tool called certbot to handle the setup and renewal the certificates on your cloud servers.

If you are using a paid instance of Heroku you can use the Automated Certificate Management that manages your SSL certificates automatically with just one click.

Never put external API keys on your frontend application code

If you are using any external service through an API like Google Maps API or Stripe API you must never put the API keys on your frontend javascript code or on your iOS/Android APP code.

These keys can be easily discovered by a malicious user that can use your keys into his own apps or mess up with your API limits. Or even worse, if the API key stored on the frontend app is related to some sensitive system like a payment API, an attacker can cause some real damage to your application.

The solution for this problem is very simple. You can create a proxy between your frontend app and the external service API that will store the API key and use it as necessary. In this solution, your frontend will call the proxy with no API key and the proxy will add the API key and route the request to the external provider's endpoint.

Obfuscate your frontend code

The obfuscation of code consists in creating some code that humans cannot easily understand while still maintaining the functionality of the code. Basically, if you take a look at an obfuscated you will not understand very much because the code will have variable names, functions names and class names that makes no sense. Also, the code will have some useless flows created to difficult the reverse engineering of the code.

The obfuscation process is important because some of your code will run on the user's device and can be accessible by anyone, for instance, javascript that runs on the browser or the java code of an Android APK that can be easily decompiled.

This obfuscation can be done with tools like Proguard for Android, UglifyJS for javascript or Obfuscator iOS for swift apps. Most of the MVC frameworks like Rails, Django or ASP.NET MVC includes javascript obfuscation by default.

If your application handles credit card data you must comply with the PCI standard

The credit card industry is very rigorous about the security of cardholder data. For that reason you must know and comply with the PCI DSS standard if your applications is handling credit card data.

A credit card leak on your application can take you out of business because depending on the size of the leak you can be fined by the credit card brands. There are some news about very high fines applied to companies that leaked credit card data, like the Target breach in 2013 and more recently the Home Depot breach.

Depending on the number of credit card transactions that your application handles, you must be certified by an official PCI assessor and pass through an yearly auditing process.

Fortunately there are some tools that can help you to reduce the risk associated with credit card data. You should get familiar with tools like credit card tokenization, firewalls and access control of card data.

The PCI standard gives a lot of best practices that can help you to increase not only the credit card data security but the overall security of your application.

More

These four security tips are very basic and every app must follow them. But keep in mind that there is a lot more that you have to do to ensure that your application is really secure and to protect your apps, systems and your business.